Abstract

Boolean functions are important building blocks in cryptography because of their wide
application in both stream and block cipher systems. For cryptanalysis of such
systems one tries to find linear functions that are correlated to the Boolean
functions used in the crypto system. Let $f$ be an $n$-variable Boolean function whose
Walsh spectra at the point $\omega \in \{0,1\}^n$ is denoted by $W_f(\omega)$. The Boolean function
is available in the form of an oracle. We would like to find an $\omega$ such that $W_f(\omega) \neq 0$,
as this will provide one of the linear functions which are correlated to $f$. We show
that the quantum algorithm proposed by Deutsch and Jozsa (1992) solves the above
mentioned problem in constant time. However, the best known classical algorithm to
solve this problem requires exponential time in $n$. We also analyse certain classes of
cryptographically significant Boolean functions and highlight how the basic
Deutsch-Jozsa algorithm performs on them.
1 Introduction

Many of the symmetric (private) key crypto systems use nonlinear Boolean functions in
the design process. Nonlinearity is an important property of Boolean functions to resist
linear cryptanalysis of block cipher systems like DES. Apart from nonlinearity,
the Boolean functions should also possess other cryptographic properties. In the nonlinear
combiner model of stream cipher systems, correlation immunity is an important
cryptographic property for a Boolean function to be used in the schemes |2B1 121]. Both the
nonlinearity and the correlation immunity can be described in terms of the Walsh spectra of the
Boolean function (see Subsection 1.1 for exact details). Constructions of highly nonlinear
and correlation immune Boolean functions are available in the literature (see [23 El 1221 E3 E]
and the references in these papers). Even if a Boolean function is highly nonlinear and
correlation immune of a certain order, due to Parseval's relation jH], there always exist linear
functions which are correlated to the Boolean function in use. In the design, it is always
attempted to reduce the correlation, which is the job of the cryptographer. On the
other hand, the cryptanalyst tries to exploit the correlation to mount the attack (see [U E]
and the references in these papers for more details). To devise such an attack, one needs a
linear function which is correlated to the Boolean function. Given an $n$-variable Boolean
function $f$, this requires the Walsh spectra of the Boolean function, and the Fast Walsh
Transform algorithm requires $O(n2^n)$ time when the truth table of the Boolean function
is available. If the Boolean function is available in the form of an oracle (black box), then
$2^n$ steps are required to get the truth table and only then can the Fast Walsh Transform
be applied. This is the best known classical algorithm in this area. On the other
hand, we identify that the well known Deutsch-Jozsa algorithm [7] can solve this problem in
constant time under the quantum computational framework. It has been commented [17,
Page 36] that the Deutsch-Jozsa algorithm has not much application in a practical sense.
This is the first time we show how this algorithm can be used to solve a problem which
naturally comes from the cryptographic domain.

Now we would like to point out the importance of the problem from the quantum complexity
theoretic viewpoint. For a detailed discussion on complexity classes and their hierarchies
see [17]. The Deutsch-Jozsa problem (distinguishing between balanced and constant
Boolean functions) presents a relativized separation of P and EQP, but not of BPP and BQP.
In [2], Bernstein and Vazirani presented a relativized separation between BPP and BQP using
recursive Fourier sampling. Though the problem is important from the complexity theoretic
point of view, it has been commented to be artificial pp. Bernstein and Vazirani |Hj have
further shown the relativized separation of NP and even MA from BQP and conjectured
that recursive Fourier sampling is not in PH (related discussion is also available in pQ).
Green and Pruim JU] presented a relativized separation between BQP and $P^{NP}$ using a
nice technique based on Grover's algorithm [H]. Aaronson has commented in pQ that
it may need a completely different problem than recursive Fourier sampling to provide a
relativized separation between BQP and PH. The problems we mention here (specifically
see Problem El in Section 2) may be a good candidate in this direction.

1.1 Preliminaries: Boolean Functions 

A Boolean function on $n$ variables may be viewed as a mapping from $\{0,1\}^n$ into $\{0,1\}$.
The set of all $n$-variable Boolean functions is denoted by $\Omega_n$.

A Boolean function $f(x_1, \ldots, x_n)$ is also interpreted as the output column of its truth
table $f$, i.e., a binary string of length $2^n$,

$$f = [f(0,0,\ldots,0), f(1,0,\ldots,0), f(0,1,\ldots,0), \ldots, f(1,1,\ldots,1)].$$

If a Boolean function is presented as an oracle (a black box), then one can only present an
$n$-bit input and get the 1-bit output corresponding to that. Thus, to get the truth table,
one needs to query the oracle $2^n$ times in a classical computational model.
The Hamming distance between $S_1, S_2$ is denoted by $d(S_1, S_2)$, i.e., $d(S_1, S_2) = \#(S_1 \neq S_2)$.
Also the Hamming weight or simply the weight of a binary string $S$ is the number of
ones in $S$. This is denoted by $wt(S)$. An $n$-variable function $f$ is said to be balanced if its
output column in the truth table contains an equal number of 0's and 1's (i.e., $wt(f) = 2^{n-1}$).

Let us denote the addition operator over $GF(2)$ by $\oplus$. An $n$-variable Boolean function
$f(x_1, \ldots, x_n)$ can be considered to be a multivariate polynomial over $GF(2)$. This
polynomial can be expressed as a sum of products representation of all distinct $k$-th order
products ($0 \le k \le n$) of the variables. More precisely, $f(x_1, \ldots, x_n)$ can be written as

$$a_0 \oplus \bigoplus_{1 \le i \le n} a_i x_i \oplus \bigoplus_{1 \le i < j \le n} a_{ij} x_i x_j \oplus \cdots \oplus a_{12\ldots n} x_1 x_2 \cdots x_n,$$

where the coefficients $a_0, a_{ij}, \ldots, a_{12\ldots n} \in \{0,1\}$. This representation of $f$ is called the
algebraic normal form (ANF) of $f$. The number of variables in the highest order product
term with nonzero coefficient is called the algebraic degree, or simply the degree of $f$, and is
denoted by $deg(f)$.

Functions of degree at most one are called affine functions. An affine function with
constant term equal to zero is called a linear function. The set of all $n$-variable affine
(respectively linear) functions is denoted by $A(n)$ (respectively $L(n)$). The nonlinearity of
an $n$-variable function $f$ is

$$nl(f) = \min_{g \in A(n)} d(f, g),$$

i.e., the distance from the set of all $n$-variable affine functions.

Let $x = (x_1, \ldots, x_n)$ and $\omega = (\omega_1, \ldots, \omega_n)$ both belong to $\{0,1\}^n$ and the inner product

$$x \cdot \omega = x_1\omega_1 \oplus \cdots \oplus x_n\omega_n.$$

Let $f(x)$ be a Boolean function on $n$ variables. Then the Walsh transform of $f(x)$ is a real
valued function over $\{0,1\}^n$ which is defined as

$$W_f(\omega) = \sum_{x \in \{0,1\}^n} (-1)^{f(x) \oplus x \cdot \omega}.$$

Given a Boolean function $f$, $W_f(\omega) = \#(f = l) - \#(f \neq l)$, where $l = \omega \cdot x$ is a
linear function. If $W_f(\omega) = 0$, then there is no correlation between $f$ and $l$. However, if
$W_f(\omega) > 0$, then there is correlation between $f, l$ as $\#(f = l) > \#(f \neq l)$. Similarly, if
$W_f(\omega) < 0$, then there is correlation between $f, 1 \oplus l$ as $\#(f = l) < \#(f \neq l)$, which gives
$\#(f = 1 \oplus l) > \#(f \neq 1 \oplus l)$. This correlation between the Boolean function $f$ and the
linear function $l$ (or the affine function $1 \oplus l$) is exploited for cryptanalytic attacks [3].
Thus, given a Boolean function $f$, it is important to find out some $\omega$ such that $W_f(\omega) \neq 0$.

It should be noted that getting the Walsh spectra is not an easy problem in general.
See Algorithm 1 in this section and Proposition 1 in Section 2 later for further discussion.

In terms of Walsh spectra, the nonlinearity of $f$ is given by

$$nl(f) = 2^{n-1} - \frac{1}{2} \max_{\omega \in \{0,1\}^n} |W_f(\omega)|.$$
One important identity related to the Walsh spectra of any $n$-variable Boolean function
$f$ is Parseval's identity jHj which gives

$$\sum_{\omega \in \{0,1\}^n} W_f^2(\omega) = 2^{2n}.$$

It is clear that the maximum nonlinearity is achieved when the maximum absolute value
of the Walsh spectra is minimized. For $n$ even, this happens when $W_f(\omega) = \pm 2^{n/2}$, for
each $\omega \in \{0,1\}^n$. These functions, having nonlinearity $2^{n-1} - 2^{n/2 - 1}$, are well known as
bent functions in the literature [2H1 El. For $n$ odd, $n/2$ is not an integer and hence the situation
becomes more complicated. For $n \le 7$, it is known that the maximum possible nonlinearity
can be $2^{n-1} - 2^{(n-1)/2}$ pg. It has been shown in JH] that one can achieve nonlinearity strictly
greater than $2^{n-1} - 2^{(n-1)/2}$ for $n \ge 15$.

In [12], an important characterization of resilient (balanced and correlation immune)
functions has been presented, which we use as the definition here. A function $f(x_1, \ldots, x_n)$
is $m$-resilient iff its Walsh transform satisfies

$$W_f(\omega) = 0, \text{ for } 0 \le wt(\omega) \le m.$$

Following the notation used in [2HI22], by an $(n, m, d, a)$ function we denote an $n$-variable,
$m$-resilient function with degree $d$ and nonlinearity $a$. For recent results on such functions
see j2H 1221 E] and the references in these papers.

Now let us present the best known classical algorithm for calculating the Walsh spectra
of a Boolean function. If the function is given as a black box, then one needs to get the
truth table first, which requires $2^n$ many queries to the oracle.

Algorithm 1

Input: (i) A Boolean function f on n variables is available in the form of an oracle (black box);

1.        Oracle f is queried 2^n many times to get the truth table
          as an integer array f[0, ..., 2^n - 1] of 0, 1;
2.        for (i = 0; i < 2^n; i = i + 1) f[i] = (-1)^f[i];
3.        for (i = 0; i < n; i = i + 1) {
3a.           for (k = 0; k < 2^n; k = k + 2^(i+1)) {
3a(i).            for (j = k; j < k + 2^i; j = j + 1) {
3a(i)A.               a = f[j] + f[j + 2^i];
3a(i)B.               b = f[j] - f[j + 2^i];
3a(i)C.               f[j] = a;
3a(i)D.               f[j + 2^i] = b;
3a(ii).           }
3b.           }
          }
In the following we present an example of how Algorithm 1 runs. Note that the
function used is a 3-variable one, and $i$ varies from 0 to 2, i.e., $n = 3$ steps. The inner
steps (using $k, j$) run $2^3 = 8$ many times.
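
A run of Algorithm 1 on a concrete input, as an added example (not the paper's own code or its example function): the Python below queries a constructed 3-variable oracle $f = x_1x_2 \oplus x_3$, applies the in-place butterfly of step 3, and records the array after each of the $n = 3$ passes. The function names and the choice of oracle are assumptions made for illustration.

```python
# Added example: Algorithm 1 (2^n oracle queries, then the in-place fast Walsh transform).

def oracle(x):
    """Constructed black box f(x1,x2,x3) = x1*x2 XOR x3; x1 is the low bit of x,
    which matches the truth-table order f(0,0,0), f(1,0,0), f(0,1,0), ..."""
    x1, x2, x3 = x & 1, (x >> 1) & 1, (x >> 2) & 1
    return (x1 & x2) ^ x3

def walsh_spectrum(f, n, trace=None):
    """Steps 1-3 of Algorithm 1. Returns [W_f(0), ..., W_f(2^n - 1)].
    If trace is a list, a snapshot of the array is appended after each pass."""
    size = 1 << n
    w = [1 - 2 * f(x) for x in range(size)]       # steps 1-2: query, map b -> (-1)^b
    if trace is not None:
        trace.append(list(w))
    for i in range(n):                            # step 3
        half = 1 << i
        for k in range(0, size, 2 * half):        # step 3a
            for j in range(k, k + half):          # step 3a(i)
                a = w[j] + w[j + half]            # 3a(i)A
                b = w[j] - w[j + half]            # 3a(i)B
                w[j], w[j + half] = a, b          # 3a(i)C, 3a(i)D
        if trace is not None:
            trace.append(list(w))
    return w

def walsh_by_definition(f, n, omega):
    """W_f(omega) = sum over x of (-1)^(f(x) XOR x.omega), used as a cross-check."""
    return sum(1 - 2 * (f(x) ^ (bin(x & omega).count("1") & 1))
               for x in range(1 << n))

def nonlinearity(spectrum, n):
    """nl(f) = 2^(n-1) - (1/2) max |W_f(omega)|."""
    return (1 << (n - 1)) - max(abs(v) for v in spectrum) // 2

if __name__ == "__main__":
    stages = []
    spectrum = walsh_spectrum(oracle, 3, stages)
    print("after step 2 :", stages[0])
    for i, snapshot in enumerate(stages[1:]):
        print("after i = %d  :" % i, snapshot)
    print("nonlinearity :", nonlinearity(spectrum, 3))
    print("Parseval sum :", sum(v * v for v in spectrum))
```

The final array is three valued (0 and ±4), so this constructed function is also an instance of the plateaued functions discussed later in the paper.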
1.2 Preliminaries: The Deutsch-Jozsa Algorithm

Given that $f$ is either constant or balanced, one may ask for an algorithm that can answer
which of the two it is. In this case the Boolean function $f$ is available in the form of an oracle
(black box), where one can apply an input to the black box to get the output. A classical
algorithm needs to check the function for $2^{n-1} + 1$ many inputs in the worst case to decide
whether the function is constant or balanced.

Now we discuss the quantum computational model. It is known that given a classical
circuit $f$, there is a quantum circuit of comparable efficiency which computes the
transformation $U_f$ that takes input like $|x, y\rangle$ and produces output like $|x, y \oplus f(x)\rangle$. Given that such
a $U_f$ is available, Deutsch-Jozsa [7] provided a quantum algorithm that can solve this
problem in constant time. We first present what the quantum circuit looks like in Figure 1
and then explain the algorithm in Algorithm 2.



Figure 1: Quantum circuit to implement Deutsch-Jozsa Algorithm
Algorithm 2 Deutsch-Jozsa Algorithm [7]

1. $|\psi_0\rangle = |0\rangle^{\otimes n}|1\rangle$
2.
3.
5. Measurement at M: all zero state implies that the function is constant,
   otherwise it is balanced.

In the next section we will keep Algorithm 2 as it is and interpret Step 5 of it
according to our need.



Let us start with some technical results on the hardness of calculating the Walsh spectra.

Proposition 1 A Boolean function $f$ is available in the form of an oracle.

1. SAT is Turing reducible to computing the Walsh transform at the point 0.

2. Finding $W_f(0)$ is outside $P^{NP}$.

3. Given a nonzero $\omega$, finding $W_f(\omega)$ is outside $P^{NP}$.

Proof: The function $f$ is not satisfiable iff $W_f(0) = 2^n$. This proves item 1.

Now we prove item 2. In [10], the following problem has been presented which is outside
$P^{NP}$. A Boolean function $f$ with $wt(f)$ either $2^{n-2}$ or $3 \cdot 2^{n-2}$ is given in the form of an
oracle. One has to identify which one it is. Note that $wt(f) = 2^{n-2}$ iff $W_f(0) = 2^{n-1}$
and $wt(f) = 3 \cdot 2^{n-2}$ iff $W_f(0) = -2^{n-1}$. Thus the result.

The proof of item 3 is as follows. $W_f(0) = W_{f \oplus \omega \cdot x}(\omega)$. If the oracle of $f$ is available,
then it is easy to construct the oracle of $f \oplus \omega \cdot x$. Hence the proof. ■

We have already discussed in Algorithm 1 that the best known classical algorithm
for calculating the Walsh spectra of an $n$-variable Boolean function requires the truth
table of size $2^n$ as an input and then the algorithm requires $O(2^n)$ time. Let us now
describe our interpretation of the Deutsch-Jozsa Algorithm in terms of Walsh spectra. Note
that

$$\sum_{z \in \{0,1\}^n} \sum_{x \in \{0,1\}^n} \frac{(-1)^{x \cdot z \oplus f(x)}}{2^n} |z\rangle = \sum_{z \in \{0,1\}^n} \frac{W_f(z)}{2^n} |z\rangle,$$

i.e., the associated probability with a state $|z\rangle$ is $\frac{W_f^2(z)}{2^{2n}}$. Hence we have the following result.

Proposition 2 Given an $n$-variable Boolean function $f$, the Deutsch-Jozsa algorithm
(Algorithm 2) produces a superposition of all the states $z \in \{0,1\}^n$ at the measurement point
M with amplitude $\frac{W_f(z)}{2^n}$ corresponding to each state $z$.

Now let us describe the following problem, which has been presented in [2] as the parity
problem.



2 Problems in EQP 
Problem 1 [2] Let $f$ be a linear $n$-variable Boolean function, i.e., $f(x) = \omega \cdot x$, available
in the form of an oracle. Find out the $\omega$.

For a linear function $f(x) = \omega \cdot x$, $W_f(\omega) = 2^n$ and $W_f(z) = 0$ for $z \neq \omega$. Thus the
observed state of $n$ bits in Step 5 of Algorithm 2 will clearly output $\omega$ itself (with
probability $\frac{W_f^2(\omega)}{2^{2n}} = 1$). Thus the Deutsch-Jozsa algorithm solves this problem in constant
time. In the classical model this problem clearly needs $O(n)$ time. This difference has been
exploited and it has been shown that BPP is not equal to BQP with respect to an oracle [2].
Now we present the problem we described.

Problem 2 A Boolean function $f$ is given in the form of an oracle. Find out an $\omega$ such
that $W_f(\omega) \neq 0$.

The solution to this problem using the Deutsch-Jozsa algorithm works as follows. Let us
consider $S = \{\omega \mid W_f(\omega) \neq 0\}$. For any $\omega \in \{0,1\}^n \setminus S$, $W_f(\omega) = 0$. Note that for
$\omega \in S$, $\sum_{x \in \{0,1\}^n} (-1)^{f(x) \oplus x \cdot \omega}$ is nonzero and for $\omega \in \{0,1\}^n \setminus S$, $\sum_{x \in \{0,1\}^n} (-1)^{f(x) \oplus x \cdot \omega}$ is zero.
We have already discussed that the associated probability with a state $|z\rangle$ is $\frac{W_f^2(z)}{2^{2n}}$. Here
the probability associated with $|z\rangle$ is nonzero when $z \in S$ and the probability associated
with $|z\rangle$ is 0 when $z \in \{0,1\}^n \setminus S$. It is clear that the sum of probabilities associated with
the states in $S$ is 1. Thus, the state, say $\omega$, observed after the measurement at Step 5
belongs to $S$ and for the observed $\omega$, $W_f(\omega) \neq 0$. Hence Problem 2 can be solved in
constant time using the Deutsch-Jozsa algorithm.

Based on the above discussion we have the following result.

Theorem 1 Problem 2 belongs to EQP with respect to the oracle $f$.

Now we present a related problem where one needs to find out the maximally correlated
linear or affine function with respect to $f$.

Problem 3 A Boolean function $f$ is given in the form of an oracle. Find out an $\omega$ such
that $|W_f(\omega)| = \max_{\omega \in \{0,1\}^n} |W_f(\omega)|$.

Algorithm 2 does not guarantee the answer to Problem 3. Since Algorithm 2 is probabilistic
in nature, it may very well happen that it outputs some $\omega'$ for which $W_f(\omega') \neq 0$, but
$|W_f(\omega')| < |W_f(\omega)|$. That means we get a linear or affine function which is correlated to
$f$, but not maximally correlated.

There exists a subclass of Boolean functions, the bent functions [20], for which one
can solve Problems 2 and 3 in one step using the classical computational model also. For a bent
function $f$, $W_f(\omega) = \pm 2^{n/2}$ for any $\omega \in \{0,1\}^n$. Thus if it is known that the function is a
bent function, then one can choose any $\omega$ and produce that as the output. However, it is
very clear that these problems are not easy in general.

One very interesting class of Boolean functions are the ones where the Walsh spectra
become three valued $0, \pm 2^k$. These functions are referred to as plateaued functions in
the literature [23 IE]. The class of plateaued functions contains cryptographically significant
Boolean functions, including certain classes of resilient functions |2"H | l22 [ lfi], and hence these
functions are actually used in crypto systems. Now consider the following problem.

Problem 4 A plateaued Boolean function $f$ (i.e., $W_f(\omega)$ can take the values $0, \pm 2^k$) is
given in the form of an oracle. Find out an $\omega$ such that $|W_f(\omega)| = \max_{\omega \in \{0,1\}^n} |W_f(\omega)|$,
which is equivalent to finding an $\omega$ such that $W_f(\omega) \neq 0$.

Clearly Algorithm 2 outputs a proper solution in one step, but the best known classical
algorithm to date which can deterministically solve this problem is the Fast Walsh transform,
which requires $O(n2^n)$ time in the worst case. The information that the Walsh spectra is three
valued does not help in the calculation of Walsh spectra in a better way on the classical
model.

There are different kinds of resilient, correlation immune and other cryptographically
significant Boolean functions [213 I2H 1221 El IHj with three valued Walsh spectra. These
functions are used for robust design of crypto systems. Getting a linear or affine function
which is maximally correlated to the Boolean function in constant time directly helps
in cryptanalysis of such crypto systems and presents an application of Algorithm 2, the
Deutsch-Jozsa Algorithm.

We further restrict Problem 4 and present the following problem to highlight the
exponential speed up of quantum algorithms over the classical domain.

Problem 5 A plateaued $n$-variable ($n$ odd) Boolean function $f$ with three valued Walsh
spectra $0, \pm 2^{(n+1)/2}$ is given in the form of an oracle. Find out an $\omega$ such that $W_f(\omega) \neq 0$.

Algorithm 2 solves this problem in one step.

Theorem 2 Problem 5 belongs to EQP with respect to the oracle $f$.

The best known classical algorithm, the fast Walsh transform, needs $O(n2^n)$ time and the
structure of the problem does not reveal anything to present a better deterministic classical
algorithm. To analyse the situation in more detail, let us define the restricted Walsh transform.
The restricted Walsh transform of $f(x)$ on a subset $T$ of $\{0,1\}^n$ is a real valued function
over $\{0,1\}^n$ which is defined as

$$W_f(\omega)|_T = \sum_{x \in T} (-1)^{f(x) \oplus x \cdot \omega}.$$

Any NP machine can guess an $\omega$ but it is impossible to verify in polynomial time whether
the value of the Walsh spectra at the chosen $\omega$ is nonzero. This is because $f$ is presented as a
black box and thus one needs to query the value of $f$ at least $2^{n-1} + 1$ times in the best
case to decide whether $W_f(\omega)$ is nonzero. Let $T \subset \{0,1\}^n$ such that $|T| = 2^{n-1} + 1$. If
one finds that $W_f(\omega)|_T$ is $2^{n-1} + 1$ or $-2^{n-1} - 1$, then it is clear that $W_f(\omega)$ cannot be
zero. However, it is not possible to decide whether $W_f(\omega)$ is 0 or $\pm 2^{(n+1)/2}$ from $W_f(\omega)|_T$
when $|T| < 2^{n-1}$. Thus the verification stage needs $O(2^n)$ many queries to the oracle in
the best case.

Though we cannot present any formal proof, it seems that Problem 5 is outside BPP
(may be even outside PH) with respect to the oracle $f$, and once such a result can be proved,
the Deutsch-Jozsa algorithm can be used to present a relativized separation between BPP
(may be PH) and EQP. This we place as an important open problem in this direction.
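3 Problems in BQP

Let us consider a subset of Boolean functions with the following property.

$$\mathcal{C}_n = \{f \in \Omega_n \mid d(f, l) \le 2^{n-3}, l \in L(n)\}.$$

Proposition 3 $|\mathcal{C}_n| = 2^n \sum_{i=0}^{2^{n-3}} \binom{2^n}{i}$.

Proof: Let $\mathcal{C}_n^l = \{f \in \Omega_n \mid d(f, l) \le 2^{n-3}\}$. Since for distinct $l_1, l_2 \in L(n)$, $d(l_1, l_2) = 2^{n-1}$,
we have $\mathcal{C}_n^{l_1} \cap \mathcal{C}_n^{l_2} = \emptyset$. Also it is clear that $|\mathcal{C}_n^{l_1}| = |\mathcal{C}_n^{l_2}|$. Since $|L(n)| = 2^n$ and
$\mathcal{C}_n = \bigcup_{l \in L(n)} \mathcal{C}_n^l$, $|\mathcal{C}_n| = 2^n |\mathcal{C}_n^l|$ for some $l \in L(n)$. Now $|\mathcal{C}_n^l| = \sum_{i=0}^{2^{n-3}} \binom{2^n}{i}$, as one can
choose $i$ ($0 \le i \le 2^{n-3}$) many positions in the truth table of the linear function $l$ and
complement them to get an $f$. This gives the proof. ■

From [TBI Page 165], $\sum_{i=0}^{\lambda u} \binom{u}{i} \le 2^{uH(\lambda)}$, where the binary entropy function $H(\lambda) =
-\lambda \log_2 \lambda - (1 - \lambda) \log_2 (1 - \lambda)$. Also it is clear that $\sum_{i=0}^{2^{n-3}} \binom{2^{n-3}}{i} < \sum_{i=0}^{2^{n-3}} \binom{2^n}{i}$. Thus,

$$2^{2^{n-3}} < |\mathcal{C}_n^l| = \sum_{i=0}^{2^{n-3}} \binom{2^n}{i} \le 2^{2^n H(1/8)}.$$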

Let us consider the following problem, which is a restricted version of Problem 3.

Problem 6 An $n$-variable ($n$ odd) Boolean function $f \in \mathcal{C}_n$ is given in the form of an
oracle. Find out an $\omega$ such that $|W_f(\omega)| = \max_{\omega \in \{0,1\}^n} |W_f(\omega)|$.

Lemma 1 Problem 6 belongs to BQP with respect to the oracle $f$.

Proof: If $f \in \mathcal{C}_n$, then $d(f, \omega \cdot x) \le 2^{n-3}$, i.e., $W_f(\omega) \ge 2^n - 2d(f, \omega \cdot x) = 2^n - 2^{n-2}$. Thus
the success probability of Algorithm 2 is $\ge \left(\frac{2^n - 2^{n-2}}{2^n}\right)^2 = \frac{9}{16}$. The probability of getting a
wrong answer is $\le \frac{7}{16}$. ■
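
Proposition 2 (which underlies Problems 1 to 5) and the success bound of Lemma 1 can be checked numerically. The Python below is an added example, not code from the paper: it computes the exact outcome distribution $W_f^2(z)/2^{2n}$ at the measurement point M classically, which costs $4^n$ operations and is only a check of the algebra, not the quantum algorithm. All functions shown are constructed for illustration and their names are assumptions.

```python
from fractions import Fraction

def parity(v):
    """x . z over GF(2) when called as parity(x & z)."""
    return bin(v).count("1") & 1

def dj_distribution(f, n):
    """Exact probability of observing each z at M in Algorithm 2.
    After H^n, the phase (-1)^f(x) and H^n again, |z> carries amplitude
    2^-n * sum_x (-1)^(f(x) XOR x.z) = W_f(z) / 2^n (Proposition 2)."""
    size = 1 << n
    phase = [1 - 2 * f(x) for x in range(size)]
    probs = []
    for z in range(size):
        w = sum(p * (1 - 2 * parity(x & z)) for x, p in enumerate(phase))
        probs.append(Fraction(w * w, size * size))
    return probs

def linear(omega):
    """Problem 1: f(x) = omega . x."""
    return lambda x: parity(x & omega)

def bent4(x):
    """Constructed bent function on 4 variables: x1x2 XOR x3x4."""
    return ((x & 1) & ((x >> 1) & 1)) ^ (((x >> 2) & 1) & ((x >> 3) & 1))

def plateaued3(x):
    """Constructed plateaued function on 3 variables: x1x2 XOR x3."""
    return ((x & 1) & ((x >> 1) & 1)) ^ ((x >> 2) & 1)

def near_linear(omega, flipped):
    """Member of C_n: the linear function omega . x with the truth-table
    positions in `flipped` complemented (at most 2^(n-3) of them)."""
    flipped = frozenset(flipped)
    return lambda x: parity(x & omega) ^ (x in flipped)

if __name__ == "__main__":
    cases = [
        ("linear, omega = 101", linear(0b101), 3),
        ("bent x1x2+x3x4", bent4, 4),
        ("plateaued x1x2+x3", plateaued3, 3),
        ("omega = 10110 with 4 flips", near_linear(0b10110, range(4)), 5),
    ]
    for name, f, n in cases:
        dist = dj_distribution(f, n)
        support = {format(z, "0%db" % n): str(p) for z, p in enumerate(dist) if p}
        print(name, "->", support)
```

In the last case the measurement returns $\omega$ with probability exactly 9/16 and one of seven weaker correlated points with probability 1/16 each, which is the non-maximal outcome that Problem 3 warns about.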
Now we refine these results a little bit to extend the class $\mathcal{C}_n$. Let

$$\mathcal{C}_{n,\epsilon} = \{f \in \Omega_n \mid d(f, l) \le (1 + (3 - 2\sqrt{2} - 4\epsilon)) 2^{n-3}, l \in L(n), 0 < \epsilon < \tfrac{3 - 2\sqrt{2}}{4}\}.$$

It is clear that $|\mathcal{C}_{n,\epsilon}| > |\mathcal{C}_n|$ as $3 - 2\sqrt{2} - 4\epsilon > 0$ for the given range of $\epsilon$.

If $f \in \mathcal{C}_{n,\epsilon}$, then $d(f, \omega \cdot x) \le (1 + (3 - 2\sqrt{2} - 4\epsilon)) 2^{n-3}$, i.e., $W_f(\omega) \ge 2^n - 2d(f, \omega \cdot x) =
2^n - 2^{n-2}(4 - 2\sqrt{2} - 4\epsilon)$. Thus the success probability of Algorithm 2 is $\ge \left(\frac{2^{n-2}(2\sqrt{2} + 4\epsilon)}{2^n}\right)^2 =
\left(\frac{1}{\sqrt{2}} + \epsilon\right)^2 = \frac{1}{2} + \sqrt{2}\epsilon + \epsilon^2 > \frac{1}{2} + \epsilon$. The probability of getting a wrong answer is $< \frac{1}{2} - \epsilon$.

Noting $\sqrt{2} < 1.415$, one can use a small constant $\epsilon$ such that

$$\mathcal{C}_{n,\epsilon} = \{f \in \Omega_n \mid d(f, l) \le 1.17 \cdot 2^{n-3}, l \in L(n)\}.$$

Based on the above results we present the following problem and corollary.

Problem 7 An $n$-variable ($n$ odd) Boolean function $f \in \mathcal{C}_{n,\epsilon}$ is given in the form of an
oracle. Find out an $\omega$ such that $|W_f(\omega)| = \max_{\omega \in \{0,1\}^n} |W_f(\omega)|$.

Corollary 1 Problem 7 belongs to BQP with respect to the oracle $f$.

To the best of our knowledge, there is no other way to solve Problem 6 and Problem 7
deterministically in the classical domain without calculating the Walsh spectra.
4 Conclusion

In this note, we identify a large set of problems which are in EQP or BQP with respect to
an oracle $f$, where $f$ is an $n$-variable Boolean function available in the form of a black box.
We have used the basic Deutsch-Jozsa algorithm to prove our results and show further
applications of this well known algorithm. The only known tool to solve these problems
in the classical computational model is calculation of the Walsh spectra, which requires $O(n2^n)$
time. It is left open whether these problems are indeed hard to solve from the complexity
theoretic viewpoint. If that can be shown, then the problems mentioned here, along with
the Deutsch-Jozsa algorithm, can be used to prove important results related to relativized
separation between BPP (may be PH) and EQP or BQP.